Overview

overview

10

Static

static

78aa81912f...ef.dll

windows7-x64

10

78aa81912f...ef.dll

windows10-2004-x64

10

Resubmissions

28-12-2022 22:31

221228-2fqb8sbg86 10

14-12-2022 23:42

221214-3qdxmabd63 10

25-11-2022 08:33

221125-kfz31ahd2z 10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78aa81912f72c1c1f91ca07a8172387b2694f140e155029e5e913d20b166aeef.dll

  • Size

    340KB

  • MD5

    8cae5869e6826b0b592e5ac2e6eafc19

  • SHA1

    3915ebc715e3ceb76d681048d83e18077d745106

  • SHA256

    78aa81912f72c1c1f91ca07a8172387b2694f140e155029e5e913d20b166aeef

  • SHA512

    14805b1d039e22ac99fba363cd966852d4a19ebeb99547eabc0dc8fed89c70157c2def3f970ec7877653b3568a9aa8d284de4dbca0ee4022f21262829ad6ad02

  • SSDEEP

    6144:knLnX/q0zG+QAx0eW/IS3bgdE+OLz5yT9N6LzKhkYU:kDXg+QA/6b9nn5yJNkYU

Score
10/10
trickbotmon47bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon47

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 1 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\78aa81912f72c1c1f91ca07a8172387b2694f140e155029e5e913d20b166aeef.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\78aa81912f72c1c1f91ca07a8172387b2694f140e155029e5e913d20b166aeef.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:1628
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2004

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1996-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1996-55-0x0000000076031000-0x0000000076033000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1996-56-0x0000000000130000-0x0000000000167000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1996-57-0x00000000002A0000-0x00000000002E1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1996-60-0x00000000002A0000-0x00000000002E1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/2004-58-0x0000000000000000-mapping.dmp
      Download
    • memory/2004-59-0x0000000000060000-0x0000000000087000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2004-61-0x0000000000060000-0x0000000000087000-memory.dmp
      Filesize

      156KB

      Download